aboutsummaryrefslogtreecommitdiffstats
path: root/modules/spanningtree/server.cpp
diff options
context:
space:
mode:
authorGravatar Sadie Powell2026-04-04 01:41:38 +0100
committerGravatar Sadie Powell2026-04-04 01:51:38 +0100
commit3d150ba5da604569f075b20cc560e7d04aeac993 (patch)
tree632d544c28d261424aab96c276494fba05b9c800 /modules/spanningtree/server.cpp
parentFix determining if a TLS certificate is usable. (diff)
downloadinspircd++-3d150ba5da604569f075b20cc560e7d04aeac993.tar.gz
inspircd++-3d150ba5da604569f075b20cc560e7d04aeac993.tar.bz2
inspircd++-3d150ba5da604569f075b20cc560e7d04aeac993.zip
Tighten up the TLS requirements for server links.
Servers must now either provide a fingerprint in the link config or provide a valid certificate. There's an undocumented (for now) opt-out in the config but even with this set it still doesn't allow expired, revoked, or otherwise invalid certificates.
Diffstat (limited to 'modules/spanningtree/server.cpp')
-rw-r--r--modules/spanningtree/server.cpp15
1 files changed, 11 insertions, 4 deletions
diff --git a/modules/spanningtree/server.cpp b/modules/spanningtree/server.cpp
index 7c6c08544..6199673ae 100644
--- a/modules/spanningtree/server.cpp
+++ b/modules/spanningtree/server.cpp
@@ -141,19 +141,26 @@ std::shared_ptr<Link> TreeSocket::AuthRemote(const CommandBase::Params& params)
if (!ComparePass(*x, password))
{
- ServerInstance->SNO.WriteToSnoMask('l', "Invalid password on link: {}", x->Name);
+ ServerInstance->SNO.WriteToSnoMask('l', "Invalid credentials on link: {}", x->Name);
continue;
}
- if (!CheckDuplicate(sname, sid))
+ auto* hook = TLS::GetHook(this);
+ if (hook && !hook->GetCertificate()->IsUsable(!x->AllowSelfSigned))
+ {
+ this->SendError("Peer provided an unusable (probably self-signed) TLS certificate");
return nullptr;
+ }
- if (TLS::GetHook(this) && !IsLocalRange(capab->remotesa))
+ if (!hook && !IsLocalRange(capab->remotesa))
{
- this->SendError("Non-local server connections MUST be linked with SSL!");
+ this->SendError("Non-local server connections MUST be linked with TLS");
return nullptr;
}
+ if (!CheckDuplicate(sname, sid))
+ return nullptr;
+
ServerInstance->SNO.WriteToSnoMask('l', "Verified server connection " + linkID + " ("+description+")");
return x;
}